1. Field of the Invention
The invention relates to the field of data processing systems, and more specifically to a method, apparatus, and product for establishing virtual endorsement credentials for dynamically generated virtual endorsement keys that are generated for multiple logical partitions in a trusted computing platform.
2. Description of the Related Art
Most data processing systems contain sensitive data and sensitive operations that need to be protected. For example, the integrity of configuration information needs to be protected from illegitimate modification, while other information, such as a password file, needs to be protected from illegitimate disclosure. As another example, a data processing system needs to be able to reliably identify itself to other data processing systems.
An operator of a given data processing system may employ many different types of security mechanisms to protect the data processing system. For example, the operating system on the data processing system may provide various software mechanisms to protect sensitive data, such as various authentication and authorization schemes, while certain hardware devices and software applications may rely upon hardware mechanisms to protect sensitive data, such as hardware security tokens and biometric sensor devices.
The integrity of a data processing system's data and its operations, however, centers around the issue of trust. A data processing system's data and operations can be verified or accepted by another entity if that entity has some manner for establishing trust with the data processing system with respect to particular data items or particular operations.
Hence, the ability to protect a data processing system is limited by the manner in which trust is created or rooted within the data processing system. To address the issues of protecting data processing systems, a consortium of companies has formed the Trusted Computing Group (TCG) to develop and to promulgate open standards and specifications for trusted computing. According to the specifications of the Trusted Computing Group, trust within a given data processing system or trust between a data processing system and another entity is based on the existence of a hardware component within the data processing system that has been termed the trusted platform module (TPM).
A trusted platform enables an entity to determine the state of the software environment in that platform and to seal data to a particular software environment in that platform. The entity deduces whether the state of the computing environment in that platform is acceptable before performing a transaction with that platform.
Present-day computing systems, and in particular large-scale server systems, often include support for running multiple virtual machines. The system may be a large-scale on-demand server system that executes hundreds of server instances on a single hardware platform to support customers with varying computing requirements. In the most flexible of these systems, multiple partitions, which may differ in operating system and application mix, are concurrently present in system memory, and processes executing in each partition are run in an environment that supports their execution on a guest operating system. The virtual machine provides an environment similar enough to a real hardware platform that the operating system can run with little or no modification. A hypervisor (sometimes referred to as a virtual machine monitor) manages all of the virtual machines or partitions and abstracts system resources so that each partition provides a machine-like environment to each operating system instance.
To implement the above architectural goals, multiple processing modules and other devices are installed in a system, and each device generally supports one or more of the above-described partitions, although it is possible to share tasking on a partition between multiple devices. Groups of devices, or an individual device, may be associated with a particular customer, and it is desirable to restrict access to a device or group to that customer alone, which includes securing the devices from the manufacturer of the devices and of the system.
In order to provide security in such a system, devices must be bound to the system, avoiding removal and data mining that can occur by either extracting data from a device, or using a device to “impersonate” a system or portion thereof, from which it was extracted. Binding can be physical, e.g., the device is permanently attached to the system, or binding can be accomplished cryptographically, allowing for removable devices and networked systems.
The above-mentioned removable and networked devices provide protection from data tampering or impersonation by refusing to initiate in a system unless the device is cryptographically bound to the system. The information associated with the binding is generally encrypted and is stored in non-volatile storage within the device by the manufacturer. With the above-described mechanism, only a trusted system can access data associated with or stored within a particular device, dramatically reducing the impact of misappropriation or misuse of removable devices. Further, data associated with a device (such as a stored context or “state” of one of the above-mentioned virtual machines) is secured by an encryption mechanism that requires a key that is stored within the associated device or devices. This two-layer mechanism, hardware binding combined with data encryption keyed to a particular device or devices, provides a high level of security against data mining by misappropriation or misuse of removable devices.
A single Endorsement Key (EK) pair is typically stored in a hardware trusted platform module (TPM). Each Endorsement Key pair is unique to the particular hardware TPM in which it is stored. The Endorsement Key pair includes a public Endorsement Key and its corresponding private Endorsement Key. If the public Endorsement Key is used to encrypt data, only the private Endorsement Key that corresponds to that public key is capable of decrypting the encrypted data. If the private Endorsement Key is used to encrypt data, only the public Endorsement Key that corresponds to that private key is capable of decrypting the encrypted data.
The Endorsement Key pair is stored within its TPM by the manufacturer of the TPM when the TPM is manufactured.
In addition to the Endorsement Key, an Endorsement Credential is also stored within the TPM by the manufacturer of the TPM when the TPM is manufactured. The Endorsement Credential includes a copy of the TPM's public Endorsement Key.
The Endorsement Key and Endorsement Credential are used to identify a particular TPM to a trusted third party, which is external to the system that includes the TPM, in order to obtain an Attestation Identity Key (AIK) certificate from the trusted third party. An Attestation Identity Key is used by a system to indicate that the system includes a TPM and that the TPM is valid.
Most known systems use a single hardware TPM to provide trust services to the entire system. One hardware TPM is designed to provide support for a single, non-partitionable computer system. Thus, existing systems utilize a single hardware TPM to provide trust for the entire single system.
High-performance servers, though, support partitionable, multithreaded environments that may need access to a trusted platform module on multiple threads simultaneously. This type of environment allocates, or partitions, physical resources to each of the supported multiple partitions. In addition, each partition can be thought of as a separate logical computer system that can execute its own operating system and applications. The operating system executed by one partition may be different from the operating systems being executed by the other partitions.
For systems that include a single hardware TPM and multiple logical partitions, a need exists for providing a unique Endorsement Key pair and Endorsement Credential for each logical partition. Thus, for example, if the system includes four logical partitions, four separate and unique Endorsement Key pairs and associated Endorsement Credentials would be needed.
It is not practical, however, to generate and store multiple Endorsement Key pairs and Endorsement Credentials in a hardware TPM because the complex systems that include this TPM permit logical partitions to be created and destroyed as needed. Therefore, the number of logical partitions, and thus the number of needed Endorsement Key pairs and Endorsement Credentials, is not known when the TPM is manufactured.
Therefore, a need exists for a method, apparatus, and product for establishing virtual endorsement credentials for dynamically generated virtual endorsement key pairs that are generated for multiple logical partitions in a trusted computing platform.
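The following Go program is an added illustration of the problem stated in the preceding paragraphs, not code from the patent itself. It models a single hardware TPM holding one manufacturer-installed Endorsement Key pair, generates a fresh virtual EK pair for each logical partition on demand, and issues a virtual Endorsement Credential that binds the virtual public EK to its partition. The credential format and the endorsement mechanism (an RSA-PSS signature by the hardware EK over the partition id and the virtual public key) are assumptions of this example; the page does not specify how a virtual credential is formed. The names HardwareTPM, CreateVirtualEK and VerifyVirtualCredential are hypothetical. VerifyVirtualCredential is the check a trusted third party would run, given only the hardware public EK, before accepting a partition's virtual EK, and it rejects a credential whose partition id has been altered or that was endorsed by a different hardware TPM.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// HardwareTPM models the single hardware TPM: it holds the one
// manufacturer-installed EK pair. The pair is generated at construction
// time here only to keep the example self-contained.
type HardwareTPM struct {
	ek *rsa.PrivateKey
}

// NewHardwareTPM creates the hardware TPM with its single EK pair.
func NewHardwareTPM() (*HardwareTPM, error) {
	ek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &HardwareTPM{ek: ek}, nil
}

// PublicEK returns the hardware public EK, the value a hardware Endorsement
// Credential carries and that a trusted third party is assumed to know.
func (t *HardwareTPM) PublicEK() *rsa.PublicKey { return &t.ek.PublicKey }

// VirtualEndorsementCredential binds one partition's virtual public EK to
// that partition. Endorsing it with a hardware-EK signature is an assumption
// of this example, not a mechanism taken from the page.
type VirtualEndorsementCredential struct {
	PartitionID  uint32
	VirtualEKPub []byte // PKIX DER encoding of the virtual public EK
	Signature    []byte // RSA-PSS signature by the hardware EK over credentialDigest
}

// credentialDigest fixes what is signed: the partition id followed by the
// encoded virtual public key, so neither can be swapped independently.
func credentialDigest(partitionID uint32, virtualEKPub []byte) []byte {
	h := sha256.New()
	var id [4]byte
	binary.BigEndian.PutUint32(id[:], partitionID)
	h.Write(id[:])
	h.Write(virtualEKPub)
	return h.Sum(nil)
}

// CreateVirtualEK generates a fresh virtual EK pair for a partition when the
// partition is created (the count is unknown at manufacture time) and returns
// the pair together with its virtual Endorsement Credential.
func (t *HardwareTPM) CreateVirtualEK(partitionID uint32) (*rsa.PrivateKey, *VirtualEndorsementCredential, error) {
	vek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&vek.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, t.ek, crypto.SHA256, credentialDigest(partitionID, pubDER), nil)
	if err != nil {
		return nil, nil, err
	}
	return vek, &VirtualEndorsementCredential{PartitionID: partitionID, VirtualEKPub: pubDER, Signature: sig}, nil
}

// VerifyVirtualCredential is the trusted third party's check (for example by
// an AIK certificate issuer): the virtual public EK is accepted only if the
// credential was endorsed by the known hardware EK.
func VerifyVirtualCredential(hwEKPub *rsa.PublicKey, cred *VirtualEndorsementCredential) (*rsa.PublicKey, error) {
	digest := credentialDigest(cred.PartitionID, cred.VirtualEKPub)
	if err := rsa.VerifyPSS(hwEKPub, crypto.SHA256, digest, cred.Signature, nil); err != nil {
		return nil, fmt.Errorf("virtual credential not endorsed by hardware EK: %w", err)
	}
	parsed, err := x509.ParsePKIXPublicKey(cred.VirtualEKPub)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("virtual EK is not an RSA key")
	}
	return pub, nil
}

func main() {
	tpm, err := NewHardwareTPM()
	if err != nil {
		panic(err)
	}
	// Two logical partitions, each receiving its own virtual EK pair and credential.
	for _, id := range []uint32{1, 2} {
		vek, cred, err := tpm.CreateVirtualEK(id)
		if err != nil {
			panic(err)
		}
		pub, err := VerifyVirtualCredential(tpm.PublicEK(), cred)
		if err != nil {
			panic(err)
		}
		fmt.Printf("partition %d: virtual EK endorsed, key matches=%v\n", id, pub.N.Cmp(vek.N) == 0)
	}
}
```

The design point is that the hardware TPM still stores exactly one EK pair, as the page describes, while the per-partition keys live outside it and derive their trust from the hardware EK through the credential; a verifier therefore needs only the one hardware public EK to validate any number of partitions created after manufacture.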